Dustin C. Hatch
a0a4b91faf
The *filter* table is responsible for deciding which packets will be accepted and which will be rejected. It has three chains, which classify packets according to whether they are destined for the local machine (input), passing through this machine (forward) or originating from the local machine (output). The *dch-gw* role now configures all three chains in this table. For now, it defines basic rules, mostly based on TCP/UDP destination port: * Traffic destined for a service hosted by the local machine (DNS, DHCP, SSH), is allowed if it does not come from the Internet * Traffic passing through the machine is allowed if: * It is passing between internal networks * It is destined for a host on the FireMon network (VPN) * It was NATed to in internal host (marked 323) * It is destined for the Internet * Only DHCP, HTTP, and DNS are allowed to originate from the local machine This configuration requires an `internet_iface` variable, which indicates the name of the network interface connected to the Internet directly.
100 lines
1.6 KiB
YAML
100 lines
1.6 KiB
YAML
dch_networks:
|
|
jazz:
|
|
description: Legacy network
|
|
vlan_id: 1
|
|
ipv4_address: 172.31.0.0/27
|
|
router_iface: vlan1
|
|
dns_search:
|
|
- pyrocufflink.jazz
|
|
dns_servers:
|
|
- fd99:8dc7:6528::10:1
|
|
- fd99:8dc7:6528::100:1
|
|
dns_servers_v4:
|
|
- 172.31.0.4
|
|
- 172.31.0.10
|
|
sla_id: 1
|
|
|
|
blue:
|
|
description: pyrocufflink.blue AD domain members only
|
|
vlan_id: 30
|
|
ipv4_address: 172.30.0.0/26
|
|
router_iface: vlan30
|
|
sla_id: 0
|
|
|
|
red:
|
|
description: Non-domain member machines
|
|
vlan_id: 101
|
|
ipv4_address: 172.31.1.1/24
|
|
router_iface: vlan101
|
|
sla_id: 101
|
|
|
|
guest:
|
|
description: Guest Wi-Fi
|
|
vlan_id: 100
|
|
ipv4_address: 172.24.100.0/24
|
|
router_iface: vlan100
|
|
|
|
dmz:
|
|
description: DMZ
|
|
vlan_id: 254
|
|
router_iface: vlan254
|
|
|
|
|
|
firemon_networks:
|
|
- 192.168.0.0/16
|
|
- 172.28.33.0/24
|
|
|
|
|
|
nat_port_forwards:
|
|
- protocol: tcp
|
|
port: http
|
|
destination: 172.31.0.6
|
|
- protocol: tcp
|
|
port: https
|
|
destination: 172.31.0.6
|
|
- protocol: tcp
|
|
port: ssh
|
|
destination: 172.31.0.5
|
|
- protocol: tcp
|
|
port: rsync
|
|
destination: 172.31.0.5
|
|
- protocol: udp
|
|
port: 16881-16999
|
|
destination: 172.31.0.5
|
|
- protocol: udp
|
|
port: isakmp
|
|
destination: 172.31.0.2
|
|
- protocol: udp
|
|
port: ipsec-nat-t
|
|
destination: 172.31.0.2
|
|
|
|
|
|
allow_incoming:
|
|
- protocol: udp
|
|
port: domain
|
|
- protocol: tcp
|
|
port: domain
|
|
- protocol: udp
|
|
port: bootps
|
|
- protocol: tcp
|
|
port: ssh
|
|
|
|
|
|
allow_outgoing:
|
|
- protocol: udp
|
|
port: ntp
|
|
- protocol: udp
|
|
port: dhcpv6-server
|
|
- protocol: udp
|
|
port: bootps
|
|
- protocol: tcp
|
|
port: https
|
|
- protocol: tcp
|
|
port: http
|
|
- protocol: udp
|
|
port: domain
|
|
- protocol: tcp
|
|
port: domain
|
|
|
|
trace_dropped: true
|